Connecting to Healthcare Apps - Tips for Payers and Implementors of FHIR-Based APIs
Introduction
The Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC) released final rules in 2020 under the authority of the 21st Century Cures Act to advance access to health information and improve care coordination. Under the CMS Interoperability and Patient Access final rule (CMS-9115-F), members can select an app that supports the required technical standards and use it to access their protected health information (PHI) held by their health plan.
For this to work, payers must establish APIs and allow any such app to connect to them unless they can demonstrate, using objective and verifiable criteria, that the connection would pose an unacceptable risk to the security of PHI on their systems. This requirement places a large and potentially unmanageable burden on payers, who must safeguard their members' data while also complying with the CMS and ONC rules.
In July 2021, the Creating Access to Real-time Information Now (CARIN) Alliance released version 0.1 of the CARIN Alliance Application Registration Manual, a guide to best practices and recommendations for payers, app developers, and other implementers of Fast Healthcare Interoperability Resources (FHIR®)-based APIs.
The manual was produced to provide a consistent set of practices supporting the CARIN Code of Conduct, the set of principles guiding implementers of consumer-directed health information sharing. Attestation to the Code of Conduct is voluntary; it brings healthcare stakeholders together with parties outside healthcare, such as app developers and technology vendors, to establish a shared health information exchange ecosystem.
Regulatory Background
As of July 1, 2021, the CMS Interoperability and Patient Access final rule requires CMS-regulated payers to maintain application programming interfaces (APIs) that conform to the technical standards finalized by HHS in the ONC 21st Century Cures Act Final Rule. These APIs are built on FHIR-based standards and allow members to view their claims and clinical information through the app of their choice. Any payer that maintains clinical data must also make those data available through the same standards-based member access APIs.
Payers must also offer members educational resources so they can make an informed choice about the privacy and security factors to consider when selecting an app. In particular, payers must help members determine whether an app is subject to HIPAA rules, and explain how members can submit complaints to the appropriate regulatory authorities.
How ZeOmega Can Help
ZeOmega stands ready to support our payer clients in meeting the aggressive time frames set by the interoperability regulations. HealthUnity is the first interoperability solution to achieve TDRAAP accreditation and Drummond certification. Together, these credentials mean that payers can trust the HealthUnity solution to provide access to member data and that it conforms to the mandated FHIR standards. Coupled with HITRUST privacy and security certification, they set HealthUnity apart from all other platforms on the market as a leader in interoperability, security, functionality, and value.
To learn more, contact us at sales@zeomega.com or 214.618.9880.